Interactive Threat Defense: Incident Response, Threat Intel, and Red Teaming (oh my!)
Presenter: Eric Goldstrom
Agenda
o Introduction
o Incident Response
o Threat Intelligence
o Red Team
o Anecdotes
o Summary/Questions
-What it is
-Why it’s important
-How to get started
whoami
o Eric Goldstrom
o Security Incident Response Manager
o MS in Computer Security
o OSCP, CISSP, SANS certs
o Hiking, Records, Retro Videogames
o Work at Cambia Health Solutions
o Disclaimer: Thoughts do not reflect those of my employer
Background
o Discussed for a couple years, officially started middle of last year
o Allows us to view events through the lens of the attacker
o Culmination of 3 InfoSec programs:
o Incident Response
o Cyber Threat Intelligence
o Red Team
Interactive Threat Defense
"A proactive, data driven, hands on approach to identify risks and validate security controls."
Incident Response
o Escalation and de-escalation of incidents in a timely manner
o Limit incident damage and reduce recovery time/costs
o Prepare for future incidents and learn from previous incidents
Threat Intelligence
o Consume and act upon industry-related threat intel data
o Proactively hunt for adversaries using known tactics
o Create deception capabilities to learn about and slow attackers
Red Teaming
o Security validation using adversarial techniques
o MITRE ATT&CK
o Offensive security training, awareness, and readiness
o Attacker-perspective consulting
I Know What You’re Thinking…
o “Unicorn” is required
o Sounds like SecOps
o Not enough resources for this
o This is just a “Purple Team”
Workflows, Tracking, and Reporting
Defining an Incident
o Follow regulatory/compliance definitions first!
o NIST's: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Security Events…
An ongoing or imminent information security circumstance that should be investigated to determine whether it has the potential to become a security incident.
Methodology - Ongoing
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Source: SANS Incident Handlers Handbook
Methodology - Imminent
Keys to Success
1. Pay close attention to Lessons Learned
2. Don’t let an incident go to waste
3. Practice makes perfect
4. Constantly improve visibility
Addressing Visibility/Detection
Threat Intelligence
Partial credit: http://geraintw.blogspot.com
Note About the Dark Web
o Common concerns:
o Technical barrier to entry
o Getting into "trouble"
o If you're really curious, start with:
o A dark web "search engine" like Ahmia/DarkSearch
o Dorks supported! For example:
leak* AND (html_content:password OR title:<your_org>^3)
Threat Intelligence
Threat actors around your organization (diagram):
o Hacktivists
o Cybercriminals
o Opportunists
o Nation States
Traffic Light Protocol
What to share and what not to share
Source: https://www.us-cert.gov/tlp
Join Communities/Sub to Feeds
o Information Sharing and Analysis Center
o Find your industry-specific ISAC
o US-CERT
o DHS Automated Indicator Sharing
o Recorded Future Cyber Daily
o Socials
o Twitter – TweetDeck with InfoSec feeds
o Reddit (yes, reddit) – InfoSec multi-reddit:
/r/vrd+Information_Security+RELounge+ReverseEngineering+antiforensics+blackhat+blueteamsec+compsec+computerforensics+crypto+hacking+netsec+pwned+securityCTF+threatintel+websec
Threat Intel for Vulnerability Management
Problem: Limited contextual information makes prioritizing patching difficult.
Solution with threat intelligence: Improve prioritization with real-world context on vulnerabilities.
Problem: Relying on vulnerability databases results in delayed notifications and increased risk.
Solution with threat intelligence: Significantly reduce risk by patching vulnerabilities as soon as they are discussed in the wild.
Problem: Vague, non-quantified risk scores, often in the form of "stoplight charts" that show green, yellow, and red threat levels.
Solution with threat intelligence: Custom risk scores that make defined measurements of risk based on factors uniquely relevant to your organization.
Problem: Estimates about threat probabilities and costs that are hastily compiled, based on partial information, and riddled with unfounded assumptions.
Solution with threat intelligence: Risk reporting that is transparent about assumptions, variables, and outcomes, and shows specific loss probabilities in financial terms.
Source: RF VM Blog
Third Party Breaches
o Internal and external comms templates
o Understand root cause and remediation
o Increase scope to news/blogs
o If not directly involved, use the 3rd party's lessons learned
Red Teaming
o Red Teams are designed to validate security controls and emulate the tactics, techniques, and procedures (TTPs) of adversaries.
o Identifies gaps in security products
Create Rules of Engagement (ROE)
1. Obtain permission to conduct Red Team activities.
2. Do not intentionally cause customer Service Level Agreement (SLA) impact or downtime.
3. Do not intentionally access or modify customer data.
4. Do not intentionally perform destructive actions.
5. Do not weaken in-place security protections.
6. Safeguard vulnerability and other sensitive/critical information within the Red Team and only share it with those who have a need to know.
Source: Microsoft Red Team; additional ROE at https://redteams.net/rtrules
Hacker Methodology (diagram)
1. Footprinting
2. Enumeration
3. Initial Access
4. Discover/Persist/Cover Tracks
5. Exfil/C2
MITRE ATT&CK in 5 Steps
1. Create a metrics spreadsheet: https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html
2. Use Red Canary unit tests: https://github.com/redcanaryco/atomic-red-team
3. Check security tools for detections/alerts
4. Score the outcome in the spreadsheet
5. Track and improve maturity over time
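Steps 1, 4 and 5 above, and the Scoring and Heatmap slides that follow, as an added Python example (not the presenter's spreadsheet and not Red Canary's code): each technique is scored by the worst outcome across its atomic tests, tactics get an average to trend quarter over quarter, and the result is written as an ATT&CK Navigator layer so the heatmap renders without hand-colouring cells. The 0-3 outcome scale, the sample results, and the tactic each technique was tested under are constructed assumptions.

```python
"""Score Atomic Red Team outcomes per ATT&CK technique and emit a Navigator layer.

Added example for this page; not the presenter's spreadsheet and not Red Canary code.
Assumptions (constructed for illustration): the 0-3 outcome scale, the sample
results, and which tactic each technique was tested under. The output follows the
public ATT&CK Navigator layer format (techniqueID / tactic / score / color / comment).
"""
import json
from collections import defaultdict

# Assumed scale: what happened when the atomic test ran.
SCORE = {"none": 0, "logged": 1, "alerted": 2, "blocked": 3}
# Red -> orange -> yellow -> green, so the rendered layer reads as a heatmap.
COLORS = {0: "#ff6666", 1: "#ffb366", 2: "#ffff66", 3: "#8ec843"}

# Constructed results: one row per atomic test executed (step 2) and checked
# against the security tools (step 3).
RESULTS = [
    {"technique": "T1003",     "tactic": "credential-access",    "test": "#1", "outcome": "alerted"},
    {"technique": "T1003",     "tactic": "credential-access",    "test": "#2", "outcome": "logged"},
    {"technique": "T1059.001", "tactic": "execution",            "test": "#1", "outcome": "blocked"},
    {"technique": "T1053.005", "tactic": "persistence",          "test": "#1", "outcome": "none"},
    {"technique": "T1053.005", "tactic": "privilege-escalation", "test": "#1", "outcome": "none"},
    {"technique": "T1021.002", "tactic": "lateral-movement",     "test": "#1", "outcome": "logged"},
]


def score_techniques(results):
    """Map technique -> worst outcome across its tests (step 4).

    Minimum rather than mean: a technique is only as covered as the variant
    nobody detected, and that is the variant an attacker will use."""
    scores = {}
    for r in results:
        s = SCORE[r["outcome"]]
        scores[r["technique"]] = min(s, scores.get(r["technique"], max(SCORE.values())))
    return scores


def score_tactics(results):
    """Map tactic -> mean technique score, the number to trend over time (step 5)."""
    tech_scores = score_techniques(results)
    per_tactic = defaultdict(set)
    for r in results:
        per_tactic[r["tactic"]].add(r["technique"])
    return {t: round(sum(tech_scores[x] for x in techs) / len(techs), 2)
            for t, techs in per_tactic.items()}


def navigator_layer(results, name="ITD detection coverage"):
    """Build an ATT&CK Navigator layer (the heatmap) from the technique scores."""
    tech_scores = score_techniques(results)
    tactics_of = defaultdict(set)
    for r in results:
        tactics_of[r["technique"]].add(r["tactic"])
    techniques = [
        {"techniqueID": tid, "tactic": tac, "score": s, "color": COLORS[s],
         "comment": "min score over atomic tests: 0=none 1=logged 2=alerted 3=blocked"}
        for tid, s in sorted(tech_scores.items())
        for tac in sorted(tactics_of[tid])
    ]
    return {
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Constructed example; load in ATT&CK Navigator via Open Existing Layer",
        "techniques": techniques,
        "gradient": {"colors": [COLORS[0], COLORS[3]], "minValue": 0, "maxValue": 3},
    }


if __name__ == "__main__":
    for tactic, score in sorted(score_tactics(RESULTS).items()):
        print(f"{tactic:<22} {score:.2f}")
    with open("itd_coverage_layer.json", "w") as fh:
        json.dump(navigator_layer(RESULTS), fh, indent=2)
```

Re-run the scorer after each quarter's tests and diff the per-tactic numbers; a tactic that stays at 0 across quarters is the gap to take to the vendor, as the "How to improve scores" slide suggests.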
Create Metrics
Scoring
Testing - Easy Mode
1. Download the Atomic Red Team execution framework (Invoke-AtomicRedTeam, a PowerShell module)
2. Run the install script, then import the module
3. Show all tests without executing them, so you know what each test does on the host before you run it
Heatmap
Outcome
How to improve scores
o Work with vendors!
o Endpoint Detection and Response (EDR) or…
o Sysmon - Windows
o https://github.com/olafhartong/sysmon-modular
o auditd - Linux
o https://github.com/bfuzzy/auditd-attack
o Network Detection and Response (NDR) or…
o Zeek
Red Team Infrastructure
Automate: https://github.com/obscuritylabs/RAI
Terraform: https://rastamouse.me
Footprinting
o theharvester
theharvester -d <company>.com -b all > out.txt
o recon-ng
o Maltego
Enumeration
nmap -n -sS -Pn --randomize-hosts --max-retries 1 --stats-every 10m --max-scan-delay 20 --defeat-rst-ratelimit --top-ports 20 -oA <filename> --open <iprange>
./EyeWitness.py -f <filename> --web --results 1000 --prepend-https --resolve --timeout 10 --jitter 3
amass -src -ip -config amass_config.ini -d <your_org.com>
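Joining the nmap and EyeWitness commands above: an added Python example (not part of nmap, EyeWitness, or the deck) that parses the <filename>.gnmap written by -oA and emits the URL list EyeWitness reads with -f, keeping only ports nmap reported as open. The .gnmap sample, the set of ports treated as https, and the output file name are constructed.

```python
"""Turn nmap grepable output into the URL list EyeWitness reads with -f.

Added example for this page; it is not part of nmap, EyeWitness, or the deck.
Assumptions (constructed): the .gnmap sample below, the set of ports treated as
https, and the output file name. `-oA <filename>` writes <filename>.gnmap, whose
port fields are port/state/proto/owner/service/rpc/version/.
"""
import re

# Constructed sample of what `nmap ... --open -oA scan <iprange>` writes to scan.gnmap.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -n -sS -Pn --top-ports 20 --open -oA scan 10.0.0.0/28
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (18)
Host: 10.0.0.7 (intranet.example.test)\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.9 ()\tPorts: 25/open|filtered/tcp//smtp///
# Nmap done -- 16 IP addresses (3 hosts up) scanned in 4.21 seconds
"""

HTTPS_PORTS = {443, 8443}            # assumed; extend for your estate
PLAIN_HTTP_PORTS = {80, 8000, 8080}  # assumed fallbacks when nmap names no service

# port/state/proto/owner/service/ (the rpc and version fields follow; not needed here)
PORT_FIELD_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Yield (host, port, state, service) for every TCP port entry in .gnmap text."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comment lines and 'Status: Up' lines
        host = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t", 1)[0]  # drop 'Ignored State'
        for m in PORT_FIELD_RE.finditer(ports_part):
            port, state, proto, service = m.groups()
            if proto == "tcp":
                yield host, int(port), state, service


def web_targets(text):
    """Return scheme://host:port lines for ports worth screenshotting.

    Only state 'open' counts: 'open|filtered' is a dropped probe, not a listener,
    and feeding it to EyeWitness only burns the timeout budget."""
    targets = []
    for host, port, state, service in parse_gnmap(text):
        if state != "open":
            continue
        if port in HTTPS_PORTS or service == "https":
            targets.append(f"https://{host}:{port}")
        elif "http" in service or port in PLAIN_HTTP_PORTS:
            targets.append(f"http://{host}:{port}")
    return targets


def write_eyewitness_list(text, path="eyewitness_targets.txt"):
    """Write the list EyeWitness consumes with `-f <path>`; returns the target count."""
    targets = web_targets(text)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    n = write_eyewitness_list(SAMPLE_GNMAP)
    print(f"{n} targets written; next: ./EyeWitness.py -f eyewitness_targets.txt --web --timeout 10 --jitter 3")
```

Because every line already carries a scheme and port, EyeWitness does not need --prepend-https for this list; keep the --timeout and --jitter values from the slide so the screenshot pass stays slow enough not to trip rate limits on the targets.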
Exploitation/Initial Access
o Spear Phishing
o External brute force/cred stuffing
o 3rd party pentest re-testing
o Ad-Hoc testing depending on business need
How to mature…
o Upgrade to Breach Attack Simulation (BAS)
o Caldera + Navigator
o Active Directory "Audit"
o LLMNR/NBT-NS Responder
o Kerberoasting
o Pass the Hash
o Living off the Land TTPs
o https://gtfobins.github.io - Unix
o https://lolbas-project.github.io - Windows
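For the Kerberoasting item in the AD audit list, the detection a Red Team run of it should trigger, as an added Python example (not from the deck or from any vendor product): a hunt over Windows Security event 4769 that flags accounts sweeping many SPNs with RC4 service tickets, while keeping single RC4 requests in a lower "logged" tier for follow-up. The event records and the sweep threshold are constructed assumptions; the event ID and encryption-type values are as Windows logs them.

```python
"""Hunt for Kerberoasting in Windows Security event 4769 (Kerberos service ticket requested).

Added example for this page; not code from the deck or from any vendor product.
Facts relied on: 4769 is the service-ticket (TGS) event; TicketEncryptionType 0x17
is RC4-HMAC, the key type Kerberoasting tools ask for because RC4 hashes crack
fastest; 0x11/0x12 are AES. Assumptions (constructed): the event records below and
the sweep threshold of 3 distinct SPNs within 10 minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed 4769 records (real events carry more fields; these are the ones that matter).
EVENTS = [
    {"time": "2019-10-18T14:02:01", "user": "jdoe@CORP.LOCAL",      "service": "MSSQLSvc/db01", "etype": "0x17", "ip": "10.1.5.20", "status": "0x0"},
    {"time": "2019-10-18T14:02:02", "user": "jdoe@CORP.LOCAL",      "service": "http/web01",    "etype": "0x17", "ip": "10.1.5.20", "status": "0x0"},
    {"time": "2019-10-18T14:02:03", "user": "jdoe@CORP.LOCAL",      "service": "svc_backup",    "etype": "0x17", "ip": "10.1.5.20", "status": "0x0"},
    {"time": "2019-10-18T14:02:04", "user": "jdoe@CORP.LOCAL",      "service": "WS001$",        "etype": "0x17", "ip": "10.1.5.20", "status": "0x0"},
    {"time": "2019-10-18T14:05:00", "user": "asmith@CORP.LOCAL",    "service": "MSSQLSvc/db01", "etype": "0x12", "ip": "10.1.7.31", "status": "0x0"},
    {"time": "2019-10-18T15:30:00", "user": "legacyapp@CORP.LOCAL", "service": "http/web01",    "etype": "0x17", "ip": "10.1.9.9",  "status": "0x0"},
    {"time": "2019-10-18T14:02:05", "user": "jdoe@CORP.LOCAL",      "service": "krbtgt",        "etype": "0x17", "ip": "10.1.5.20", "status": "0x0"},
]


def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request for a non-machine, non-krbtgt SPN.

    Machine accounts (names ending in $) have long random passwords, so their RC4
    tickets are not crackable; krbtgt TGS requests are normal ticket handling."""
    svc = ev["service"]
    return (ev["status"] == "0x0" and ev["etype"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def rc4_requests(events):
    """Hunt/log tier: every roastable RC4 request. Accounts that legitimately still use
    RC4 show up here and are candidates for moving the service account to AES-only keys."""
    return [(ev["user"], ev["service"]) for ev in events if is_roastable_request(ev)]


def detect_kerberoast_sweeps(events, min_spns=3, window=timedelta(minutes=10)):
    """Alert tier: [(user, ip, sorted SPNs)] for accounts requesting >= min_spns distinct
    roastable SPNs within `window`, the signature of a tool dumping every SPN at once."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_user[(ev["user"], ev["ip"])].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = []
    for (user, ip), reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits.append((user, ip, sorted(spns)))
                break
    return hits


if __name__ == "__main__":
    for user, ip, spns in detect_kerberoast_sweeps(EVENTS):
        print(f"ALERT kerberoast sweep: {user} from {ip} requested {len(spns)} RC4 SPNs: {spns}")
    print(f"logged RC4 requests for review: {rc4_requests(EVENTS)}")
```

Running the Red Team's Kerberoast against a lab DC and checking that this logic (or its SIEM equivalent) fires is exactly the "check security tools for detections" step; if 4769 is not being forwarded at all, the technique scores 0 and the fix is log collection, not a rule.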
Example #1
o Threat Intel – Researcher develops RCE 0-day
o Incident Response – Executes the imminent security event methodology, reaches out to stakeholders to emergency patch.
o Red Team – Modifies and runs the POC, conducts training for stakeholders.
Example #2
o Red Team – Gains initial access to a system
o Incident Response – Runs IR handler playbooks to investigate whether it has been previously compromised
o Threat Intel – Research and hunt
Full Process (diagram)
1. ITD Intake
2. Detect (Log)
3. Feed (Alert)
4. Protect
5. Automate
ITD Intake: IR Lessons Learned, Threat Intel Data, Red Team Findings
Metrics
o Input:
o # of threat feeds being ingested and analyzed
o # of MITRE ATT&CK tactics tested by Red Team by quarter
o # of Critical/High vulnerabilities manually identified by Red Team
o # of breach simulation events executed by Red Team (incl. Breach Attack Simulation tool)
o Analysis:
o # of tactics, techniques, and procedures (TTPs) detections added to SIEM workflow
o # days/hours of Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
o Output:
o # of Security Events to include CTI, IR, and RT
o Instances where threat intelligence has led to re-prioritization (e.g., emergency patching, re-architecting)
o # of unconventional measures of protection
Side Benefits of ITD
o Highly interested InfoSec candidates
o Helps to reduce burnout
o Sense of urgency during remediation
o Converts Risk Management from Reactive
to Proactive
Summary - People
o Offensive and Defensive Background
o Tribal Knowledge a Plus
o Curious
o Imaginative
o Collaborative
o Enjoys Learning
o Possibly an InfoSec Generalist
Summary - Processes
o Establish Requirements
o Create Workflows
o Combined Dashboard, Comms, and Intake
o Build/Follow IR Plan and Process
o Utilize Frameworks
o Customize based off of business needs
o Execute on Roadmap Items
Summary - Technology
o Security Information and Event Management (SIEM)
o Endpoint Detection and Response (EDR)
o Or similar (sysmon, Osquery, auditd)
o Threat Intelligence Platform (TIP)
o Security Orchestration, Automation, and Response
(SOAR)
o Red Team attack platforms/infrastructure
Thank You!
Eric Goldstrom
@RetroEricG
ITD BSides PDX Slides